Total
716 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39921 | 1 Fujitsu | 38 Ipcom Ex2 Dc 3200, Ipcom Ex2 Dc 3200 Firmware, Ipcom Ex2 Dc 3500 and 35 more | 2025-03-13 | 7.5 High |
| Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to V02L21NF0301, and IPCOM VE2 Series V01L04NF0001 to V01L06NF0112. If this vulnerability is exploited, some of the encrypted communication may be decrypted by an attacker who can obtain the contents of the communication. | ||||
| CVE-2022-39228 | 1 Vantage6 | 1 Vantage6 | 2025-03-07 | 5.3 Medium |
| vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This issue has been fixed in version 3.8.0. | ||||
| CVE-2021-29621 | 2 Apache, Dpgaspar | 2 Airflow, Flask-appbuilder | 2025-03-07 | 5.3 Medium |
| Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve. | ||||
| CVE-2023-25806 | 1 Amazon | 2 Opensearch, Opensearch Security | 2025-03-05 | 5.3 Medium |
| OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the internal basic identity provider (IdP), and not other externally configured IdPs. Patches were released in versions 1.3.9 and 2.6.0, there are no workarounds. | ||||
| CVE-2024-45089 | 1 Ibm | 1 Sterling B2b Integrator | 2025-03-05 | 4.3 Medium |
| IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.3 Standard Edition EBICS server could allow an authenticated user to obtain sensitive filename information due to an observable discrepancy. | ||||
| CVE-2021-46876 | 1 Ibexa | 1 Ez Platform Kernel | 2025-03-05 | 5.3 Medium |
| An issue was discovered in eZ Publish Ibexa Kernel before 7.5.15.1. The /user/sessions endpoint can be abused to determine account existence. | ||||
| CVE-2023-37413 | 1 Ibm | 1 Aspera Faspex | 2025-03-04 | 5.3 Medium |
| IBM Aspera Faspex 5.0.0 through 5.0.10 could disclose sensitive username information due to an observable response discrepancy. | ||||
| CVE-2024-41335 | 2025-02-28 | 7.5 High | ||
| Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks. | ||||
| CVE-2024-36996 | 1 Splunk | 3 Splunk, Splunk Cloud Platform, Splunk Enterprise | 2025-02-28 | 5.3 Medium |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109, an attacker could determine whether or not another user exists on the instance by deciphering the error response that they would likely receive from the instance when they attempt to log in. This disclosure could then lead to additional brute-force password-guessing attacks. This vulnerability would require that the Splunk platform instance uses the Security Assertion Markup Language (SAML) authentication scheme. | ||||
| CVE-2022-25332 | 1 Ti | 2 Omap L138, Omap L138 Firmware | 2025-02-27 | 4.4 Medium |
| The AES implementation in the Texas Instruments OMAP L138 (secure variants), present in mask ROM, suffers from a timing side channel which can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext inputs. Using this side channel, the SK_LOAD secure kernel routine can be used to recover the Customer Encryption Key (CEK). | ||||
| CVE-2023-1538 | 1 Answer | 1 Answer | 2025-02-27 | 5.3 Medium |
| Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6. | ||||
| CVE-2023-1540 | 1 Answer | 1 Answer | 2025-02-25 | 5.3 Medium |
| Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6. | ||||
| CVE-2025-24011 | 1 Umbraco | 1 Umbraco Cms | 2025-02-20 | 5.3 Medium |
| Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | ||||
| CVE-2022-41354 | 2 Linuxfoundation, Redhat | 2 Argo-cd, Openshift Gitops | 2025-02-19 | 4.3 Medium |
| An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications. | ||||
| CVE-2023-26071 | 1 Harpaitalia | 1 Mcuboict | 2025-02-19 | 7.5 High |
| An issue was discovered in MCUBO ICT through 10.12.4 (aka 6.0.2). An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. That allow an unauthorized actor to perform User Enumeration attacks. | ||||
| CVE-2024-27839 | 1 Apple | 3 Ipad Os, Ipados, Iphone Os | 2025-02-13 | 5.5 Medium |
| A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in iOS 17.5 and iPadOS 17.5. A malicious application may be able to determine a user's current location. | ||||
| CVE-2023-6135 | 2 Mozilla, Redhat | 6 Firefox, Enterprise Linux, Rhel Aus and 3 more | 2025-02-13 | 4.3 Medium |
| Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121. | ||||
| CVE-2023-5722 | 1 Mozilla | 1 Firefox | 2025-02-13 | 5.3 Medium |
| Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119. | ||||
| CVE-2023-3897 | 1 42gears | 1 Suremdm | 2025-02-13 | 4.8 Medium |
| Username enumeration is possible through Bypassing CAPTCHA in On-premise SureMDM Solution on Windows deployment allows attacker to enumerate local user information via error message. This issue affects SureMDM On-premise: 6.31 and below version | ||||
| CVE-2023-1998 | 3 Debian, Linux, Redhat | 5 Debian Linux, Linux Kernel, Enterprise Linux and 2 more | 2025-02-13 | 5.6 Medium |
| The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. | ||||